Browser findingsAs expected, each Web browser had its fair share of security advantages and disadvantages. All of the browsers reviewed here, save Google Chrome, have had years to mature in response to previous malicious attacks. All of the browsers had SSL/TLS (Secure Sockets Layer/Transport Layer Security) support, anti-phishing filters, pop-up ad blocking, cross-site script (XSS) filtering, automated updates, private session browsing, and cookie handling. The following review summaries highlight their differences. Click the links to the full reviews for more detail. See also the table, "Web browser security features," comparing security features among all of the browsers.

Google Chrome 1.0Google's first browser is a security paradox. It begins with the best browser security model, but then layers questionable decisions over a dearth of security features. It utilizes Windows Vista's new security features even better than the browser that came with Vista. JavaScript runs inside of a virtual machine environment, where it is further restricted.

Unfortunately, Chrome has almost no significant security granularity, and no separate security zones in which to place Web sites with different trust expectations. More disappointing, you cannot disable JavaScript at all. This is a huge security oversight, even if Google believes the browser can trap malicious JavaScript within the sandbox. Perhaps most troubling, Chrome has been plagued by relatively simple buffer overflow problems.

Chrome has the potential to be one of the most secure Internet browsers, but its initial showing only leaves significant questions. Read the complete review.

MozillaFirefox 3.12Mozilla's Firefox deserves the growing market share it has today. It is a battle-tested veteran with best-in-class cipher support, excellent add-on management, and growing enterprise features. Firefox has a fair amount of security granularity and is the only browser besides Internet Explorer to provide multiple security zones, although they are not easy to configure.

JavaScript can be disabled on a global basis, but it takes a separate add-on (called NoScript) to enable or disable it on a per-site basis. Using the About:security option in the URL bar allows the user to configure dozens of features and security settings, but the only enterprise deployment and management tools are offered by third parties. Firefox makes a good browser choice for anyone, especially for users who want to avoid the risk of native ActiveX support. Read the complete review.

Microsoft Internet Explorer 8 beta 2Internet Explorer is the most frequently attacked browser in the world. Its popularity, complexity, and support of ActiveX controls gives it an elevated risk as compared to the rest of the competition. Still, it also has best-in-class enterprise support, superior security granularity, and multiple security zones in which to deploy Web sites with different trust requirements. It's the only browser with built-in parental controls and a granular add-on manager.

It is also the only browser with serious enterprise management features, providing more than 1,200 customizable settings across multiple security zones. For example, the U.S. government requires what is called FDCC (Federal Desktop Core Configuration) on all of its software, and FIPS (Federal Information Processing Standards) ciphers only. Tens of millions of PCs fall under these requirements. Only IE allows these policies to be enforced across all desktops. It is difficult to achieve with any of the other browsers.

IE 8 is bringing many new features to the table, including per-user and per-site control of ActiveX programs and other add-ons. Its improved base security model is second only to Google's Chrome, and nearly every security feature it has is mature and built for enterprise use. Read the complete review.

Opera 9.63Opera is a solid browser that deserves more market share in the PC world. It has impressive security granularity, good anti-DoS handling, strict Extended Validation certificate handling, and many unique features. Its lack of market share means it hasn't been as tested as Internet Explorer and Firefox, but it has been involved in fighting many found vulnerabilities.

On the downside, Opera doesn't support DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), or ECC (Elliptical Curve Cryptography) ciphers. These deficiencies need to be corrected before its use can be more highly recommended. Even now, I invite readers to check out Opera. I think many people will be pleasantly surprised. Read the complete review.

Apple Safari 3.2.1Apple's Safari browser has many good features, but lacks security granularity and zones. It has good pop-up blocking, good local password protection, and a surprisingly accurate anti-phishing filter. Unfortunately, DEP is disabled, something that needs to be corrected. Safari has the weakest cipher support, failing to offer AES ciphers, 256-bit keys, or ECC ciphers.

Safari always automatically prompts the user before downloading files, and it prevents some high-risk files from being executed before downloading. Safari has good default cookie control. It is one of only two browsers in this review (the other is Chrome) to prevent all writes by third-party cookies by default, which is a nice privacy bonus. Although local password protection is strong, Safari had the weakest remote password handling of the bunch. Safari is a great-looking browser but a mixed bag with respect to security. Read the complete review.